A business can have functioning servers, healthy bank accounts and a complete set of backups—and still be unable to act. The failure is not technical. The institution has lost a valid chain of authority. This happens when a principal is unreachable, incapacitated or disputed; when two required signatories are in the same aircraft; when a director resigns during an incident; when an adviser holds the only current mandate; or when the technical team can restore the system but nobody present has the authority to approve the consequences of restoring it. Continuity is therefore not just the ability to keep operating. It is the ability to make binding decisions under abnormal conditions without creating an illegitimate centre of power.
Normal governance assumes normal availability
Most authority structures are designed for an orderly week. Meetings can be convened. Counsel can be consulted. The principal can authenticate. A second signatory can answer. The bank can wait. A live incident removes those assumptions. A deadline expires. A market moves. A reporter calls. A compromised account must be frozen. A payroll file must be released. A family member demands access. Several actions may be individually reasonable while mutually inconsistent. The institution then discovers that its emergency plan lists systems and phone numbers but not the legal and operational basis on which a person may decide.
Separate four questions
- Who may decide? The person or body holding the relevant authority under the governing documents and applicable law.
- What may they decide? The precise scope: preservation, expenditure, communications, access, employment, transaction or disposal.
- How is the authority activated? A defined event, evidence threshold, quorum, elapsed time or professional determination.
- When does it end? An expiry, revocation, return of the normal authority holder or formal review.
If any one of these is ambiguous, an emergency delegate may either freeze when action is required or overreach when restraint is required.
The break-glass mandate
A credible break-glass mandate is narrow, legible and rehearsed. It does not appoint an emergency monarch. It creates sufficient authority to preserve the institution until normal governance returns. At minimum, it should define:
- Trigger conditions that can be evidenced without relying on the person whose absence activates the mandate.
- A ranked succession path, including what happens if the first delegate is conflicted or unreachable.
- Permitted preservation actions, spending ceilings and prohibited irreversible acts.
- The systems, advisers and counterparties that must recognise the temporary authority.
- Required records: who decided, what evidence was available, which alternatives were rejected and when the decision must be reviewed.
- Automatic expiry and an explicit hand-back procedure.
The legal instrument and the technical permissions must agree. A signed mandate without access to the relevant systems is decorative. Administrator access without a lawful mandate is dangerous.
Design for contested facts
The most difficult incidents are rarely clean. Two people may disagree about whether the trigger occurred. A family member may challenge a delegate. A fraudster may claim an emergency. A principal may be reachable through an unfamiliar channel but unable to satisfy the normal authentication test. Build an evidence hierarchy before the dispute. Decide which sources are authoritative for identity, incapacity, resignation, conflict and restoration. Require more than one independent fact for high-consequence activation. Preserve the evidence that supported the decision. This is also where outside advisers should be pre-positioned. Counsel, banks, insurers, security teams and communications advisers should know whom they can recognise, what proof they require and what they will refuse. Discovering those requirements during the event wastes the only resource that cannot be restored: time.
Exercise the authority, not only the technology
Operational-resilience testing often proves that a platform can be recovered. The better exercise asks whether the institution can authorise the recovery. Run a short scenario in which the normal authority holder is unavailable and an urgent decision must be made. Observe where the team stalls:
- Nobody can locate the current mandate.
- The mandate names a role that no longer exists.
- The named person lacks the needed authentication device.
- A bank, registrar or provider does not recognise the succession.
- The delegate can preserve assets but cannot communicate with staff.
- No one knows when temporary authority should terminate.
Fix these as governance defects, not as administrative loose ends.
Authority should degrade gracefully
A resilient institution does not leap from full normal authority to chaos. Its decision capacity narrows in a controlled way. Routine actions continue. Preservation actions activate. Irreversible transactions pause. Extraordinary decisions become visible to more than one independent person. That is graceful degradation for governance: less speed and scope, but no ambiguity about legitimacy.
The final question
If the normal decision-maker vanished this morning, who could bind the institution by noon—and could every critical counterparty verify that authority without trusting a forwarded email? If the answer is unclear, the institution does not yet have continuity. It has hope.
